Overview

I didn't find this one, but haven't noticed anyone mentioning it. Not digging into this much deeper, so I will dump the main aspects and move on.

This ransomware is called "zCrypt", which is based on the extension left on encrypted files as well as other artifacts. zCrypt has been observed being delivered via malspam. zCrypt utilizes a command and control server to check-in infected bots and also pass the encryption key from the server to the infected machine.

When executed, the malware creates a pop-up that appears to be benign, likely to confuse the user while the malware talks to the command and control server and begins the encryption routine. The pop-up will continue to appear while the malware is running.

Ransom Note Details

There is a clickable link in the HTML note: "Click Here to Show Bitcoin Address". It appears the ransom note HTML will look for a locally created file "btc.addr" in "C:\Roaming" but the file is actually created in %APPDATA%\Roaming. The browser will throw an error when it cannot find it. I manually moved the file to the location it was looking for and it worked and revealed another BTC payment address.

ClamAV is a lightweight and open-source antivirus solution capable of many things. One popular use is as a mail/attachment scanner, while another useful implementation is in Cuckoo Sandbox to offer additional detection and data points. While there is a ruleset available directly from ClamAV/Cisco, there are also several other feeds of ClamAV rules, such as SaneSecurity's offering. I recommend using several signature databases when using ClamAV to ensure the most coverage.

This tutorial is not about implementing ClamAV or running it in an organization. This is simply a basic guide to help an analyst kickstart writing ClamAV signatures for commonly observed threats. Before getting into anything, I highly recommend you grab a copy of the user manual from here as it will contain much more verbose information than what I will go over here.

Environment

First, grab ClamAV 0.99 and make sure it is installed in your lab environment. The latest version can be found here. Once you have ClamAV 0.99 installed, check the version with the command clamscan -V, which should return something like:

ClamAV 0.99/21475/Fri Mar 25 17:40:45 2016.

Secondly, grab a copy of oletools and get that set up to use in our test environment. Oletools can be downloaded here. This is an incredible toolset and will help greatly in extracting malicious macros we want to look at.

For ease, in my environment I have created two directories, one called "sigs" and one called "samples". These will serve as our two working directories for building and testing. They can be called whatever you want and placed wherever you want. Totally up to you.

Hybrid-Analysis will serve as our test ground, and this document will be what we sig. Please download this sample and place it into the "samples" directory (or wherever on your test environment). Hybrid-Analysis has excellent references for writing these signatures in their platform, so I highly recommend checking out the report for hints. As of now (March 26th 2016), there is not an official ClamAV signature that is hitting on this.

Working with ClamAV

In your test environment, it will be useful to have a local set of rules you use for testing and tweaking. This will make troubleshooting and keeping track of what you are working on much easier. In my "sigs" folder I have created a file called "local-rules.ldb". ClamAV has several database rule types:

ldb - Logical signatures: Logical signatures allow combining multiple signatures in extended format using logical operators. They provide both more detailed and more flexible pattern matching.

hdb - Hash-based signatures: The easiest way to create signatures for ClamAV is to use file hash checksums; however, this method can only be used against static malware.

hsb - SHA1 and SHA256 hash-based signatures

mdb - PE section based hash signatures

Scanning files with our rules is as easy as adding the "-d" flag and providing the path to the ruleset you would like to scan with. To do a quick test, we can create a quick hash-based signature for our doc to ensure our setup is working properly:

Writing a Logical Signature

While hash-based signatures are okay, I think we can all agree that they are not a very scalable solution. Furthermore, many email campaigns will deliver attachments with different hashes. So while you could catch one specific malicious attachment with a hash-based signature, we want to catch variants via logical signatures.

Signature Name:

This one is straightforward. Call it whatever you want. We can go with something mundane like "ClamAV.MalDoc.VBM" for now.

TargetDescriptionBlock:

This is where we can specify quite a few things, but most importantly the file type this signature is meant to detect on. Right now the valid values are 0-12, with each number representing a different file type.

In this case we will use "Target:2" as 2 == OLE2 containers, including their specific macros. The OLE2 format is primarily used by MS Office and MSI installation files.

Logical Expression

This is where we will insert our boolean logic for combining our content matches. It uses operators like "&" for "and", "|" for "or", as well as "=", "<", ">".

SubSigN

These are our contents that will be matched upon and serve as the basis for detection. These also will be what we use in our logical expression.

A key thing to remember with these signatures is that the contents and rule options are separated by a semi-colon. This is important, because your rule will error if they are left out. Again, there are many other options and in-depth features in addition to what I explained here, but I won't be covering all of them.

File Analysis

With our target document downloaded, placed in a directory where we can scan and analyze it, we are ready to begin writing.

First, we should take a look at the doc to determine what is going on with it and what will be good to match on. For this document we will focus solely on the macros within it. We could, for example, write a signature on the "lure" if it contained one (e.g. "This document is protected, please enable macros to view!"). Taking a look at the macro contained in the document is as easy as using oletools' "olevba.py" as seen here:

Which will return a lot of content, but we want to focus first on the last box of info that it spits out:

This has some valuable strings as well as good IOC data. Going back into Hybrid-Analysis, we can see a similar set of details in their platform here:

We should begin to make a list of suspicious strings that will be good for our signature. The idea is that this combination of calls is likely to end poorly for the person opening the document, so we should make note of them and use them in our sig:

Output,Print #,Open,CreateObject,Environ,DoEvents

Each of these strings becomes a SubSig that will be represented by a number in our Logical Expression. So, here, "Output" would be content "0", "Print #" would be "1", and so on. These strings must be converted to hex, as ClamAV will only match directly on hex.

One way to do this would be to run $ echo "Output" | xxd -p which gives us "4f75747075740a". Note that the trailing 0a is the newline that echo appends, not part of the string, so drop it (or use printf "Output" | xxd -p instead); the content we actually want is 4f7574707574, which is the form used in the finished signature. Repeat this for the other strings we have identified. Furthermore, we can add modifiers to the contents, such as making them caseless. Content modifiers are enabled by adding two colons (::) after the hex string and then placing the flag. So, to make "Output" caseless, it would look like this: 4f7574707574::i;. The last content in the list of SubSigs does not require a semi-colon.

Additionally, we want to ensure we cover the various Auto* strings that a macro might use (Document_Open, AutoExec, etc.), so it is worth keeping a running list of the different kinds, or at the very least making sure one of them makes it into the signature. It is better to have several in case the macro switches up which one it uses. With some suspicious strings identified, we also probably want to match on the main loop being iterated in the macro, which we can see in the olevba.py output:

For this, we can utilize the PCRE abilities that ClamAV has. PCREs in ClamAV must always be anchored by a content (more on that below), and must start and end with a forward slash ("/"). I am sure there are multiple ways to write PCREs on this guy, but this is the PCRE I wrote to detect on part of the loop:

ClamAV has a decent PCRE implementation and allows for using several flags as well (placed at the end of the PCRE). The ClamAV documentation has a longer list, but here are a couple of useful ones:

i - Case insensitive

s - PCRE_DOTALL, matches across line breaks

m - Multiline matching

Putting it all together

Armed with our content matches and PCRE, we can start to build out a solid ClamAV signature. First, we will begin with the signature name. As mentioned above, we can just go with "ClamAV.MalDoc.VBM". The name matters, but what is more useful is to pick a naming format and stick with it for all of your sigs.

ClamAV.MalDoc.VBM;

Second, we will add the TargetType, which will be 2. As discussed above, this is the OLE2 target, which covers MS Office docs.

ClamAV.MalDoc.VBM;Target:2;

Third, we will begin to build out the Logical Expression to put all of our contents together. Remember that our contents are referred to by number now? Here is where it comes into play. So, after converting our contents into hex: 4f7574707574;5072696e742023;4f70656e;4372656174654f626a656374;456e7669726f6e;446f4576656e7473 we can start building out the Logical Expression:

We can then add in our PCRE and anchor it to the first content so it works. In this case the choice of anchor isn't super important; it just needs an anchor to work. Be sure to keep track of the content numbers, and add the PCRE as a new content in the Logical Expression:

As mentioned before, we want to account for the various Auto open functions a macro might use, so we will incorporate those and add a logical "or" to account for them. Be sure to place an ampersand (&) in front of the new group of contents or else we will get an error:

If it doesn't fire, or gives errors, here are some common things to check:

Ensure the logical expression contains the proper operators (a & in the right spots)

Ensure there is a semi-colon between all sections of the rule (except for the final one)

Ensure there is not a new-line or any other malarkey after the rule in your ldb file

ClamAV has great error output, so it should help track down problems.
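As an added example (not code from this write-up or from ClamAV), the following Python script assembles the hash-based test signature from the Working with ClamAV section and the logical signature built up in this section, then runs the troubleshooting checklist above against the finished line. The six content strings, Target:2 and the name come from the text; the auto-run handler names, the loop regex and the sample bytes are constructed stand-ins, since the original PCRE and sample were only shown as screenshots.

```python
"""Build and sanity-check ClamAV .hdb and .ldb lines for the macro document above.

Added example for this write-up, not ClamAV's or the author's code.
"""
import hashlib
import re

# Constructed stand-in for the sample .doc (OLE2 magic + filler); NOT the real file.
SAMPLE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"constructed placeholder document body"

# Strings pulled from the olevba output in the text, in SubSig order 0..5.
SUSPICIOUS_STRINGS = ["Output", "Print #", "Open", "CreateObject", "Environ", "DoEvents"]
# Assumed set of auto-run handlers to OR together (only a few of the possible ones).
AUTO_STRINGS = ["AutoOpen", "Document_Open", "AutoExec"]
# Constructed placeholder for the loop PCRE; the write-up's own regex is not reproduced.
LOOP_PCRE = r"For\s+\w+\s*=\s*\d+\s+To\s+\d+"


def hdb_line(data: bytes, name: str) -> str:
    """Hash-based (.hdb) signature: MD5:FileSize:MalwareName (what `sigtool --md5` prints)."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def to_hex(text: str) -> str:
    """Hex-encode a string the way ClamAV expects. Unlike `echo | xxd -p`, no
    trailing 0a (newline) is added, so "Output" -> 4f7574707574."""
    return text.encode("latin-1").hex()


def content_subsig(text: str, nocase: bool = False) -> str:
    """A content SubSig; modifiers follow '::' (i = caseless)."""
    return to_hex(text) + ("::i" if nocase else "")


def pcre_subsig(trigger: str, regex: str, flags: str = "") -> str:
    """A PCRE SubSig in Trigger/PCRE/Flags form. The trigger is a logical
    expression over earlier SubSigs; the regex only runs once it has matched."""
    return f"{trigger}/{regex}/{flags}"


def ldb_line(name: str, target: int, expression: str, subsigs: list) -> str:
    """Assemble Name;Target:N;LogicalExpression;SubSig0;...;SubSigN (no trailing ';')."""
    return ";".join([name, f"Target:{target}", expression, *subsigs])


def check_ldb(line: str) -> list:
    """Mirror the troubleshooting checklist from the text; returns a list of problems.
    Limitations: a ';' inside a PCRE would confuse the split, and match-count
    forms such as 0>3 are not validated."""
    problems = []
    if line != line.rstrip("\r\n "):
        problems.append("trailing newline or whitespace after the rule")
        line = line.rstrip("\r\n ")
    parts = line.split(";")
    if len(parts) < 4:
        return problems + ["expected Name;Target:N;LogicalExpression;SubSig0[;...]"]
    if not re.fullmatch(r"Target:\d+", parts[1]):
        problems.append("second field must be Target:N")
    if parts[-1] == "":
        problems.append("semicolon after the last SubSig")
    n_subsigs = len(parts) - 3
    prev = None
    for tok in re.findall(r"\d+|[^\d]", parts[2]):
        kind = "num" if tok.isdigit() else tok
        if kind == "num" and int(tok) >= n_subsigs:
            problems.append(f"expression refers to SubSig {tok} but only {n_subsigs} are defined")
        elif kind not in ("num", "&", "|", "(", ")"):
            problems.append(f"unexpected character {tok!r} in the logical expression")
        if prev in ("num", ")") and kind in ("num", "("):
            problems.append("missing & or | between terms in the logical expression")
        prev = kind
    if parts[2].count("(") != parts[2].count(")"):
        problems.append("unbalanced parentheses in the logical expression")
    return problems


def build_maldoc_signature(name: str = "ClamAV.MalDoc.VBM") -> str:
    """The signature walked through in the text: six contents AND the loop PCRE
    (anchored to SubSig 0) AND any one of the auto-run handlers."""
    subsigs = [content_subsig(s) for s in SUSPICIOUS_STRINGS]      # SubSigs 0..5
    subsigs.append(pcre_subsig("0", LOOP_PCRE, "i"))               # SubSig 6
    first_auto = len(subsigs)                                      # 7
    subsigs += [content_subsig(s) for s in AUTO_STRINGS]           # SubSigs 7..9
    auto_group = "|".join(str(i) for i in range(first_auto, len(subsigs)))
    expression = "&".join(str(i) for i in range(first_auto)) + f"&({auto_group})"
    return ldb_line(name, 2, expression, subsigs)


if __name__ == "__main__":
    print(hdb_line(SAMPLE_DOC, "ClamAV.MalDoc.VBM.Hash"))  # line for local-rules.hdb
    sig = build_maldoc_signature()
    print(sig)                                              # line for local-rules.ldb
    print("problems:", check_ldb(sig) or "none")
```

Write each printed line to the matching .hdb/.ldb file with no trailing newline after the last rule, then scan with clamscan -d pointed at that file.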

Final Thoughts

ClamAV is a great solution for detecting malicious behavior in documents, executables, exploits and many other file types. I think being able to write and understand ClamAV signatures is a good skill for any analyst. Here I provided some foundational knowledge on how to write and work with ClamAV signatures for the 0.99 engine.

If you have any feedback or questions please email me at jack@malwarefor.me.
Additionally, you can reach out on Twitter or follow for updates.

AlphaCrypt 'Howto_RESORE_FILES.txt' Details

++++++==============================================================================================================+++++++======-
What happened to your files ?
All of your files were protected by a strong encryption with RSA-2048.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
What does this mean ?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,
it is the same thing as losing them forever, but with our help, you can restore them.
How did this happen ?
Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
++++++==============================================================================================================+++++++======
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
What do I do ?
So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BTC NOW, and restore your data easy way.
If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://alcov44uvcwkrend.paybtc798.com/[Redacted]
2. http://alcov44uvcwkrend.btcpay435.com/[Redacted]
3. https://alcov44uvcwkrend.onion.to/[Redacted]
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: alcov44uvcwkrend.onion/[Redacted]
4. Follow the instructions on the site.
IMPORTANT INFORMATION:
Your personal pages:
http://alcov44uvcwkrend.paybtc798.com/[Redacted]
http://alcov44uvcwkrend.btcpay435.com/[Redacted]
https://alcov44uvcwkrend.onion.to/[Redacted]
Your personal page (using TOR-Browser): alcov44uvcwkrend.onion/[Redacted]
Your personal identification number (if you open the site (or TOR-Browser's) directly): [Redacted]
++++++==============================================================================================================+++++++======

CryptoWall 'HELP_YOUR_FILES.txt' Details

Cannot you find the files you need? Is the content of the files that you have watched not readable?
It is normal because the files’ names, as well as the data in your files have been encrypted.
Congratulations!!!
You have become a part of large community #CryptoWall.
---
If you are reading this text that means that the software CryptoWall has removed from your computer.
---
What is encryption?
Encryption is a reversible transformation of information in order to conceal it from unauthorized persons but providing at the same time access to it for authorized users. To become an authorized user and make the process truly reversible i.e. to be able to decrypt your files you need to have a special private key.
In addition to the private key you need the decryption software with which you can decrypt your files and return everything in its place.
---
I almost understood but what do I have to do?
The first thing you should do is to read the instructions to the end.
Your files have been encrypted with the CryptoWall software; the instructions that you find in folders with encrypted files are not viruses, they are your helpers.
After reading this text 100% of people turn to a search engine with the word CryptoWall where you'll find a lot of thoughts, advice and instructions.
Think logically - we are the ones who closed the lock on your files and we are the only ones who have this mysterious key to open them.
Any of your attempts to restore your files with the third-party tools can be fatal for encrypted files.
The fact is that changing data within the encrypted file (as 100% of software to restore files do this, except the special decryption software) you break damage to the file and it will be impossible to decrypt the file.
This is the same as to collect a mosaic when some mosaics items were lost, broken or not put in its place - the picture will not emerge, the software to restore the files will not be able to lay down the picture, and ruin it completely and irreversibly.
Using the software to restore files can ruin your files forever, only through your fault.
Remember that any intervention of the extraneous software to restore files encrypted with the Cryptowall software may be the point of no return.
---
In case if these simple rules are violated we will not able to help you, and we will not try because you have been warned.
For your attention the software to decrypt the files (as well as the private key that come fitted with it) is a paid product.
After purchasing the software package you can:
1. Decrypt all your files.
2. Work with your documents.
3. View your photos and other media content.
4. Continue your habitual and comfortable work at the computer.
If you are aware whole importance and criticality of the situation, then we suggest you go directly to your personal page where you will be given final instructions, as well as guarantees to restore your files.
There is a list of addresses below through which you can get on your personal page:
1.3wzn5p2yiumh7akj.partnersinvestpayto.com/[redacted]
2.3wzn5p2yiumh7akj.marketcryptopartners.com/[redacted]
3.3wzn5p2yiumh7akj.forkinvestpay.com/[redacted]
4.3wzn5p2yiumh7akj.effectwaytopay.com/[redacted]
What do you have to do with these addresses?
If you browse the instructions in TXT format (if you have instruction in HTML (the file that has an icon of your Internet browser) then for the sake of simplicity it is better to run it):
1. Look at the address number 1 (in this case it is 3wzn5p2yiumh7akj.partnersinvestpayto.com/[redacted]).
2. Select it with the mouse cursor holding the left mouse button and moving the cursor to the right.
3. Release the left mouse button and press the right one.
4. In the menu that appears select “Copy”.
5. Run your Internet browser (if you do not know what it is run the Internet Explorer).
6. Move the mouse cursor to the address bar of the browser (this is the place where the site address is written).
7. Click the right mouse button in the field where the site address is written.
8. In the menu that appears select the button “Insert”.
9. The address 3wzn5p2yiumh7akj.partnersinvestpayto.com/[redacted] must appear there.
9. Press ENTER.
10. The site must load; if it does not load, repeat the same instructions with the address number 2 and so on until the final address if falling.
If for some reason the site does not open check the connection to the Internet; if the site still does not open see the instructions on omitting the point about working with the addresses in the HTML and PNG instructions.
If you browse the instructions in HTML format:
1. Click the left mouse button on the address number 1 (in this case it is 3wzn5p2yiumh7akj.partnersinvestpayto.com/[redacted]).
2. In a new tab or window of your web browser the site must load; if it does not load, repeat the same instructions with the address number 2 and so on until the final address/.
If for some reason the site does not open check the connection to the Internet; if the site still does not open see the instructions on omitting the point about working with the addresses in the PNG instructions.
If you browse the instructions in PNG format:
1. We are very sorry but unfortunately your antivirus deleted instructions files in the TXT and HTML format for your comfortable work and most importantly for help to restore access to your files.
2. Try to enter the address of your page manually from a picture, good luck and patience for you.
Unfortunately, these sites are temporary because the antivirus companies are interested that you cannot restore your files but continue to buy their products.
Unlike them we are ready to help you always.
If the temporary sites are not available and you need our help:
1. Run your Internet browser (if you do not know what it is run the Internet Explorer).
2. Enter or copy the address into the address bar https://www.torproject.org/download/download-easy.html.en your browser and press ENTER.
3. Wait for the site loading
4. On the site you will be offered to download TorBrowser; download and run it, follow the installation instructions, wait until the installation is completed.
5. Run Tor-Browser.
6. Connect with the button Connect (if you use the English version).
7. After initialization a normal Internet browser window will be opened.
8. Type or copy the address 3wzn5p2yiumh7akj.onion/[redacted] in this browser address bar.
9. If for some reason the site is not loading, wait a moment and try again.
If you have any problems during installation or operation of TorBrowser, please, visit www.youtube.com and type request in the search bar “install tor browser windows”. As a result you will see a training video on TorBrowser installation and operation.
If TOR address was unavailable for a long time (2-3 days) it means you were late; on average you have about 2 weeks after reading the instructions to restore your files.
---
Additional information:
Instructions to restore your files are only in those folders where you have encrypted files.
For your convenience the instructions are made in three file formats - html, txt, and png.
Unfortunately, antivirus companies cannot protect and moreover restore your files but they make things worse removing the instructions to restore encrypted files.
The instructions are not malwares; they have informative nature only, so any claims on the absence of any instruction files you can send to your antivirus company.
---
CryptoWall Project is not malicious and is not intended to harm a person and his/her information data.
The project is conducted for the sole purpose of instruction in the field of information security, as well as certification of antivirus products for their suitability for data protection.
Together we make the Internet a better and safer place.
----------
If you oversee this text in the Internet and understand that something is wrong with your files and you have no instructions to restore the files, contact your antivirus support.
----------
Remember that the worst has already happened and now the further life of your files depends directly on your determination and speed of your actions.

AlphaCrypt Details

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
What happened to your files ?
All of your files were protected by a strong encryption with RSA-2048.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)
What does this mean ?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,
it is the same thing as losing them forever, but with our help, you can restore them.
How did this happen ?
Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
What do I do ?
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.
If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.
For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://lk2gaflsgh.jgy658snfyfnvh.com/[redacted]
2. http://dg62wor94m.sdsfg834mfuuw.com/[redacted]
3. https://djdkduep62kz4nzx.onion.to/[redacted]
If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: djdkduep62kz4nzx.onion/[redacted]
4. Follow the instructions on the site.
IMPORTANT INFORMATION:
Your personal pages:
http://lk2gaflsgh.jgy658snfyfnvh.com/[redacted]
http://dg62wor94m.sdsfg834mfuuw.com/[redacted]
https://djdkduep62kz4nzx.onion.to/[redacted]
Your personal page (using TOR): djdkduep62kz4nzx.onion/[redacted]
Your personal identification number (if you open the site (or TOR 's) directly):[redacted]